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1 Introduction 

We first describe secret sharing protocols and combinatorial distributions of shares. After this 
introductory definitions we start with a secret sharing scheme using directly the combinatorial 
distribution of shares. Based on this we present two schemes in which we apply regular Nielsen 
transformations in connections with faithful representations of free groups and the Nielsen re¬ 
duction theory. In the last sections we modify the secret sharing schemes to a private key 
cryptosystem and finally Nielsen transformations are used for a public key cryptosystem which 
is inspired by the ElGamal cryptosystem. The new cryptographic protocols are in part in the 
dissertation from A. Moldenhauer [6] under her supervisor G. Rosenberger at the University of 
Hamburg. 

A (n,f)-secret sharing protocol, with n,t G N and f < n, is a method to distribute a secret 
among a group of n participants in such a way that it can be recovered only if at least t of them 
combine their shares. Hence any group of t — 1 or fewer participants cannot calculate the secret. 
The number t is called threshold. The person who distributes the shares is called the dealer. 

D. Panagopoulos presents in his paper [S] a (n, t)-secret sharing scheme using group presentations 
with solvable word problem. Here we use combinatorial distributions of the shares similar to 
those introduced in the paper of D. Panagopoulos: 

To distribute the shares in a (n, t)-secret sharing scheme the dealer does the following steps: 

1. Galculate m = , the number of all elements, for example {oi, 02 ,..., am}, the partic¬ 

ipants need to know for the reconstruction of the secret. 

2. Let Ai,A 2 , ..., Am be an enumeration of the subsets of {1, 2,..., n} with t — 1 elements. 
Define n subsets Ri, R 2 , ■ ■ ■, Rn of the set {oi, 02 ,..., am} with the property 

Qj G Ri i 0 Aj for j = 1, 2,... ,m and i = 1,2,... ,n. 

3. The dealer distributes to each of the n participants one of the sets Ri, R 2 ,..., Rn- 

The new protocols in this paper are based on Nielsen transformations, which are the basis of 
a linear technique to study free groups and general infinite groups. We now review some ba¬ 
sic definitions concerning regular Nielsen transformations and Nielsen reduced sets (see [T] or IS]). 

Let F be a free group on the free generating set X := {xi, X 2 , •..} and let U := {ui,U 2 ,...} C F. 
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Definition 1.1. An elementary Nielsen transformation on 

U = {ui,U 2 , ■ ■ ■} is one of the following transformations 

(Tl) replace some Ui by 

(T2) replace some Ui by UiUj where j ^ i; 

(T3) delete some Ui where ut = 1. 

In all three cases the Uk for i ^ k are not changed. A (finite) product of elementary Nielsen 
transformations is called a Nielsen transformation. A Nielsen transformation is called regu¬ 
lar if it is a finite product of the transformations (Tl) and (T2), otherwise it is called singular. 
The set U is called Nielsen-equivalent to the set V, if there is a regular Nielsen transformation 
from U to V. 

Definition 1.2. Consider elements vi,V 2 ,V 3 of the form call U Nielsen reduced if for all 
such triples the following conditions hold: 


(NO) vi / 1; 


(Nl) viV 2 7 ^ 1 implies \viV 2 \ > |ui|, |u 2 |; 

(N2) viV 2 / 1 and U 2 U 3 / 1 implies \viV 2 V‘j,\ > |ui| — |u 2 | + It’s!- 
Here | • | denotes the free length in F. 

Proposition 1.3. If U = {ui,U 2 , ■ ■ ■ ,Un} is finite, then U can be carried by a Nielsen trans¬ 
formation into some V such that V is Nielsen reduced. 

For a proof see [H Theorem 2.3] or [5l Proposition 2.2]. 

For the secret sharing scheme based on Nielsen transformations we will only use regular Nielsen 
transformations. We agree on some notations. 

We write (Tl)j if we replace Ui by and we write (T2)jj if we replace Ui by UiUj. If we want 
to apply t-times one after the other the same Nielsen transformation (T2) we write [(T2)jj]* and 
hence replace Ui by In all cases the for i k are not changed. 

2 A combinatorial secret sharing scheme 

Now we present a (n,t)-secret sharing scheme, whereby the secret is the sum of multiplicative 
inverses of elements in the natural numbers. For the distribution of the shares the dealer uses 
the method of D. Panagopoulos described in Section [TJ 

The numbers n and t are given, whereby n is the number of participants and t is the threshold. 

1. The dealer first calculates the number m = 

2. He chooses m elements oi, 02 ,..., Om G N. Prom these elements he constructs analogously 
as in Section [1] the sets Ri, R 2 , ■ ■ ■, Rn- The secret S is the sum 



3. Each participant Pi gets one share Ri, 1 < i < n. 
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If t of the n participants come together they can reconstruct the secret while they first combine 
their t private sets Ri and get by construction the set R = {oi, 02 ,..., am}- The secret is the 
sum of the inverse elements in the set R, that is 


m - 


i=l 


If the dealer needs a special secret S' € Q he gives every participant one more element x G Q in 
each Ri, with 


X := 


S 

S' 


The participants get S by multiplying the reconstructed secret S with x. 

Each element aj is exactly contained in n — (f — 1) subsets. Hence for each j = 1,2,... ,m 
the element aj is not contained in t — 1 subsets from • • • ,Rn}- As a consequence, aj 

is in each union of t subsets. Otherwise, if just t — 1 arbitrary sets from {iii, R 2 , ■ ■ ■, Rn} are 
combined, there exist a j so that the element Uj is not included in the union of this sets. 

If just one element aj is absent, the participants do not get the correct sum S, and hence cannot 
compute the correct secret. 


Example 2.1. We perform the steps for a {4,3)-secret sharing scheme. It is n = A and t = 3. 
The dealer follows the steps: 


1. He first calculates m = = ( 2 ) = 6 . 

2. The dealer chooses the numbers ai ;= 2,02 ;= 1,03 := 2,04 
as := 4 and oq := 2. The secret is 




1 


Oi 




(a) The six subsets with size 2 of the set {1,2, 3,4} are 

Hi = {1,2}, H2={1,3}, H 3 = {1,4}, 

H 4 = {2,3}, H5={2,4}, He = {3,4}. 

With help of the Hj the dealer gets the sets Ri, R 2 ,Rs and i? 4 , which contain elements 
from {ai, ... ,a6}. He puts the element aj for which i is not contained in the set Aj 
for i = 1,...,4 and j = 1,... ,6, into the set Ri: 

1 ^ H 4 , Hs, He Ri = {a 4 , as, ae} , 

2 ^ H2, H3, He i?2 = {02, as, ae} , 

3 ^ Hi, H 3 , Hs i ?3 = {ai, a 3 , as} , 

4 ^ Hi, H 2 , H 4 i ?4 = {ai, a 2 , a4} . 


3. The dealer distributes the set Ri to the participant R, for i = 1,... ,4. 


If three of the four participants come together, they can calculate the secret S. For example the 
participants Ti,T 2 and T 3 have the set 

R :=Ri U R 2 U Rs 

= {a4, as, ae} U {a 2 , as, ae} U {ai, as, as} 

= {ai, a 2 , as, 04 , as, ae} , 
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and hence get the secret 


6 

5=E 


i=l 


1 _ 23 

Qi 8 


with Qi G R. 


3 A secret sharing scheme using a regular Nielsen transforma¬ 
tion 


In this section we describe a (n, t)-secret sharing scheme which extends and improves the ideas 
in Section [5] by using Nielsen transformations. We consider free groups as abstract groups but 
also as subgroups of the special linear group of all 2 x 2 matrices over Q, that is, 


SL{2,Q) 


; a, 6, c, d G Q and ad — be = 1 


We use the special linear group over the rational numbers because these numbers can be stored 
and computed more efficiently on a computer than irrational numbers. 

Let L" be a free group in SL{2, Q) of rank m := . The dealer wants to distribute the shares 

for the participants as described in Section [TJ The shares will be subsets of a free generating set 
of the group F. 

Steps for the Dealer: The numbers n and t are given, whereby n is the number of participants 
and t is the threshold. We have m := 

1. The dealer chooses an abstract free generating set X for the free group F of rank m, that 
is 

F = {X; ) with X := {xi,X 2 ,... ,a:m}- 
He also needs an explicit free generating set M, that is 

F = (M; ) with M := {Mi, M 2 ,..., M^} 

and Mi G SL{2,Q). 


2. With the known matrices in the set M he computes the secret 


m ^ 

^ \n.-\ 


e 


\Qjj\ 
j=i I 


with aj := tr{Mj) G Q, 


tr{Mj) is the trace for the matrix Mi := 


d 


G 5L(2,Q), that is, tr{Mi) := a + d. If 


the dealer needs a special secret he can act as in Section [2] described. 


3. The dealer constructs the shares for the participants in the following way: 

(a) He hrst applies a regular Nielsen transformation simultaneously for both sets X and 
M to get Nielsen-equivalent sets U and N to X and M, respectively (see Figured]). 


X := {X1,X2, .. .,Xm} 

regular Nielsen 
transformation 

U := {ui,U2, .. .,Um} 


M:= {Mi,M2,...,M^} 

regular Nielsen 
transformation 

N:= {N^,N2,...,Nm} 


Figure I: Simultaneously regular Nielsen transformation 
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The elements Ui are words in X and the elements Ni are words in M. Hence we have 
N, E SL{2,Q). 

(b) The dealer now uses the method of D. Panagopoulos to split U and N and to get the 
shares {Ri, Sj) for the participants with Ri C U and Sj C N. 

4. The dealer distributes the shares. 

If t of the n participants combine their parts they obtain the sets U and N. The secret can be 
recovered as follows: 


1. The participants apply regular Nielsen transformations in a Nielsen reduction manner for 
U and step by step simultaneously for N. By Proposition 11.31 they get Nielsen reduced 
sets ,x ^2 1 ■ ■ ■ 1 ..., M^} with e*, <5* E {+1, —1}, see 

Figure [2l 


U := {ui,M2, • • -^Ura] 

regular Nielsen 
transformations 

-A. ? *^2 ’ • • • ’ J 


regular Nielsen 
transformations 


Figure 2: Simultaneously regular Nielsen transformations 


2. With the knowledge of the set it is easy to reconstruct the secret 

m ^ 

S = 1 — I E Q"'' with tr{Mj) = aj E Q. 

j = l -I 

Recall that = tr{Mi) for i = 1,..., m. 

Less than t participants can neither get the whole set t/, which is Nielsen-equivalent to X, nor 
the set N, which is Nielsen-equivalent to M. 

For the calculation of the secret, the participants need the set M, because the secret depends 
on the traces of the matrices Mj E M. The participants need both sets U and N. If they just 
have one set U or N they cannot get information about the set M. 

If the set U is known, it is only known which Nielsen transformation should be done to get the 
Nielsen-equivalent set X, but it is unknown on which matrices they should be done simultane¬ 
ously. 

If only the set N is known, then the matrices in SL{2, Q) are known, but nobody knows which 
Nielsen transformation should be done on N to get the set M. It is also unknown how many 
Nielsen transformations were used. 

In the book [4] of J. Lehner on page 247 a method is given to explicitly obtain a free generating 
set M for a free group F on the abstract generating set X := {xi, X 2 ,..., Xm}- 

Example 3.1. Let F be a free group with countably many free generators xi,X 2 ,---- Corre¬ 
sponding to Xj define the matrix 


Mj = 




5 




with rj € Q such that the following inequalities hold: 

— Vj > 3 and ri > 2. (1) 

The group G generated by {Mi, M 2 , ■ ■ ■} is isomorphic to F (see m)- 
We now present an example for this secret sharing scheme. 

Example 3.2. We perform the steps for a (3, 2)-secret sharing scheme with the help of the 
computer program Maple 16. It is n = 3, t = 2 and hence m = (^) = 3. 

First the Dealer generates the shares for the participants. 

1. The dealer chooses an abstraet presentation for the free group F of rank 3 

F = (X; ) with X := {xi,X 2 ,xz{. 

He takes an explieit presentation 


F = (M; ) with M := [Mi, M 2 , M 3 }, 

Mi G 5L(2,Q) as above. We first mention that the inequalities ([I]) hold for 

n = ’’s = y, rs = 11 


and hence the set of the matrices 


Ml = 

M2 = 
M3 = 




15 




1 


15 
2 

-11 -1 + 11 ^ 
1 -11 


1 -U’ 

15 221 


1 

-11 120 

1 -11 


1 ^ I ) 
2 


is a free generating set for a free group of rank 3. 

2. We have 

ai := tr(Mi) = —7, 02 := tr{M 2 ) = —15, 03 := tr{M^) = —22, 

and hence the seeret is 

A 1 589 


• 1 

j=i J 


ai 2310 


3. Construction of the shares for the participants: 

(a) First the dealer applies regular Nielsen transformations (NTs) simultaneously for both 
sets X and M to get Nielsen-equivalent sets U and N to X or M, respectively. These 
transformations are shown in the Table{^ 
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Table 1: Nielsen transformations (NTs) of the dealer 


NTs theoretical set A 


explicit set M 



{XI,X2,X3,} 


(T1)2 \{xi,X2^,Xz} 


(T2)i.2 \{xix^^,x^^,xz} 


[(^ 2 ) 3 , 2 ]^ \{XIX^\X^\ X3X2 



7 A),(:! ™ 



\ ( 15 


/ 80371 

597401 \ 


-63664^ 

109 \ 

1 ^ 

4 1 

( -8565 

-29 ) '> 

^ 5145 

38243 j 1 

V 799 

5939 ) 


(Tl)i {x2X^^,X2^X3X2^,X3X2^} <( 


(T2)i.2 {x2X^^X2^X3X2^, 

X 2 ^X 3 X 2 ^, X 3 X 2 ^} 


(T1)3 {x2X^^X2^X3X2^ , 

X^"^ X3X2^ , X2X'^^} 


(T2)3.2 {X 2 X 3 ^^2 ^a;3a^2 

X2^X3X2^, X2X'^^ X2^ X3X2^} 



{ / 3452369 25661603 \ 

^ 237917 1768447 j 

/ 80371 597401 \ ^ 

/ 4 4 \ ( —8565 

^ 5145 38243 j 5 799 


-8565 -63664^ 
799 5939 . 


/ 3452369 25661603 \ 

\ ^ 237917 1768447 J 

( 59^ \ 

^ 5145 38243 j —799 


5939 63664 ^ 
-799 -8565 ; 
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The Dealer obtains the sets 


U = {ui,U2,U3} 


{x 2 Xi ^X 2 ^X 3 X 2 X2 ^2:3X2 X2X3 ^^2 ^^3X2 


and 


N = {N,,N2,N3} 

{ / 3452369 25661603 \ / 80371 597401 \ 

2379'l7 1768447 j > 5145 38243 J 


/ 1132425929 
152350279 


8417369243 \ 

II 32 I 25989 j 


(b) He gets the shares {Ri,Sj) for the participants with Ri C U and Sj C N as follows: 

i. Itism= = (3) = 3. 

ii. The dealer chooses the elements 01 , 0 , 2 , 0,3 and gets the three sets 


Ai = {l}, ^ 2 = {2}, ^3 = {3}. 

With the help of the Ai the dealer gets the sets R[,R2, and R'^ which contain 
elements from the set { 01 , 02 , 03 }. He puts the element dj by which i is not 
contained in the set Aj for i = 1, 2,3 and j = 1, 2,3, into the set R[. 

1 0 ^ 2 , ^3 R'l = {d- 2 , 03 } ) 

2 ^ Ai,A3 R'2 = (oi, 03} , 

3 0 ^ 1 , ^2 R'3 = {0,1,02} ■ 

Now we apply this to U and N to create the share-sets for the participants, 
respectively: 


Ri — {U2,'03} , Si—{N2,N3}, 

R2 = {ui,U3}, S2={Ni,N3}, 

R3 = {ui,U2}, S3={Ni,N2}. 

4 . The Dealer distributes to each participant a tuple {Ri,Sj). Participant Pi gets {Ri,S 2 ), 
P 2 gets {R 2 ,S 3 ) and P 3 gets (i? 3 ,S'i). 

Assume the participants Pi and P 2 come together to reconstruct the secret. They generate the 
sets U = {ui,U 2 ,U 3 } and N = {Ni, N 2 , N 3 }. The secret can be recovered as follows. 

The participants apply regular Nielsen transformations step by step simultaneously for both sets 
U and N to get and M^. The steps are shown in the Tahles\^ and\^ 













Table 2; Nielsen transformations (NTs) from the participants I 


NTs theoretical set U 


explicit set N 



{x 2 Xi^X 2 ^X3X2 

X2^X3X2^,X2XI^^X2^X3X2^} 


(T 1)2 \{x 2 X^ ^X 2 ^X 3 X 2 


X2X^ ^X2,X2X;j ^X2 ^X3X2 



/ 3452369 25661603 

4 4 

237917 1768447 

^2 2 . 

38243 597401 \ 


1132425929 8417369243 


4 4 

152350279 1132425989 


{T2)3,2\{x2X^ X 2 X 3 X 2 , 


{xlx^^X 2 , X^X^ 


3452369 25661603 \ 

4 4 \ 

237917 1768447 j 1 


( 38243 597401 \ 

5145 80371 j •) 


5939 63664 ^ 
-799 -8565 . 


(ri)2 {X 2 X^ ^X 2 ^X3X2 

X2^ X3X2^ , X^X'^^} 


3452369 25661603 

4 4 

237917 1768447 


—4 -4— \ f 5939 63664 > 

5145 38243 j t 1—799 —8565; 


(T2)2.3 {x2Xi ^X2 ^X3X2 
X 2 ,x^x^ } 


(r2)i,3 {x2 X^^X2^,X2 ^,xIx^^} 


(ri)2 {x2X^^X2^ tX2tX\x^'^} 


3452369 25661603 \ 

4 4 \ 

237917 1768447 J 5 


( 15 221 \ 

- - — \ ( 5939 63664 > 

-1 -M V-799 -8565 > 







(2 4 ^ 


4 ] 

/ 5939 

63664 ^ 

V-45 -22^ J’ 

1 -1 


1 -799 

-8565 j 
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Table 3: Nielsen transformations (NTs) from the participants II 


(T2),.2 

{X2X^ '",X2,X2X^ 


/ 15 221 ' 

/ 2 4 

’ V 1 

) ( 5939 63664 1 1 

j ) i -799 -8565 ) f 

{Tl)i 

{xiXf^,X2,X2Xf^} 

|(i53).l 

/ 15 221 \ 

2 4 ] 

^ 1 -fJ’ 

( 5939 63664 1 1 
i -799 -8565 ) f 

(T2),.2 

{xi,X2,xlxf^} 


(7 -5f) 

( 5939 63664 \ 1 
) 1 -799 -8565 J f 

{Tlh 

{xi,X2,X3Xf^} 

{(7 7)' 

(7 -v) 

( -8565 -63664 \ 1 
’ V 799 5939 J ( 

[(^ 2 ) 3 . 2 ]^ 

{XI,X2,X3,} 

{(7 7)' 

(7 -f) 



With the knowledge of the set 
reconstruct the secret easily. It is 




( -11 120 1 
I 1 -lU 


the participants can 


ai := tr{Mi) = —7, 02 := tr{M 2 ) = —15, 03 := tr{M^) = —22 


and hence it is 


1 1 1 _ 589 

7 15 ^ “ 2310' 

In general we can use any free matrix group F of rank m := for a (n, t)-secret sharing 

scheme as it is described in this section. The shares can be generated by the above method and 
are tuples (i?j, Sj) with Ri C U and Sj C N. Some other ideas for the secret S are 


5 := 


^ 1 

j=i J 


m m 

5 := \tr{Mi)\ or S ;= ^ \tr{Mi)\ or 

i=\ i=\ 

m m 

S := or S := ^^{tr{Mi))‘^ or 

i=\ i=l 

m 

2 rn 

S := tr([M 2 i_i, M 2 i]) if m is even or S := tr{Mf). 
i=\ i=\ 
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4 A variation of the secret sharing scheme based on Nielsen 
transformations 


We explain a variation of the secret sharing scheme described in Section [3l As in the previous 
sections, let F be a free group with the abstract free generating set X := {xi, X 2 , • • •, Xg}, g € N, 
that is, 


F={X; ). 

For a (n, t)-secret sharing scheme the dealer chooses a Nielsen reduced set U := {ui,U2, ■ ■ ■, Um} C 
F, with m = • The Ui are given as words in X. The secret is the sum 




1 


Ui 


with \ui\ the length of the word Ui. 

The dealer does a regular Nielsen transformation on the set U to get the Nielsen-equivalent set 
V (Figure [3]). 


U := {ui,U2, .. .,Um} 

regular Nielsen 
transformation 

V := {vi,V2, ■ ■ ■,Vm} 

Figure 3: Regular Nielsen transformation 


Each participant Pi , 1 < i < n, gets one set Ri C V, as above. 

If t of the n participants come together to reconstruct the secret, they combine their shares and 
get the set V = {ui,U2,..., Vm}- They have to find a Nielsen-reduced set U' := • • •, 

to V. They apply Nielsen transformations in a Nielsen reducing manner as described in [T] and 
[S] and get from V a Nielsen-reduced set U'. The secret is the sum 


s = E 



because YllLi Wi\ — YllLi Nielsen reduced sets U' and U (see [H Corollary 2.9]). 


5 A symmetric key cryptosystem using Nielsen transformations 

Before Alice and Bob are able to communicate with each other they have to make some arrange¬ 
ments. Let F be an abstract free group with the free generating set 
A = {xi,X 2 ,... ,Xg}, g € N\{1}. Let 


ifF ^ SL{2,^) 

Xi !-->■ Mi, 
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be a faithful representation of F into SL{2, Q) as in Section[3l The group G = ip{F) is isomorphic 
to F under the map xi i-)- Mi, for i = 1,..., g. 

Let N be the number of letters from the alphabet A = {ai,..., oat}, for instance N = 26. We 
assume that N > 5. 

Let U C F, U = {ui,..., un} be a basis of a free subgroup of F of rank N. Such systems U are 
easily to construct (see [1] or 0). 

There is the one to one assignment 

A^U 

aj !->■ Uj, for j = 1,..., N. 

Let U' = <f{U) = {U[, ..., C 5L(2,Q), Uj i-)> [/j for j = 1,... , A^. The set U' is a basis 
for a free subgroup of G. Now, Alice and Bob agree on a block sequence P := piP 2 ■ ■ ■ Pk with, 
say, 1 < Pi < 4 and k > 2, and for each pi they construct a regular Nielsen transformation /j 
from U' to a Nielsen-equivalent system fi{U') = {Vi(, ..., V/^}, fi{Uj) = ¥(., j = 1, ... ,N. The 
Nielsen transformations fi, 1 < i < k, should be pairwise different and given as sequences of 
elementary Nielsen transformations from U' to fi{U'). 

As soon as Alice an Bob agree on a Nielsen transformation /j they compute fi{U'), i = 1,2,... ,k, 
independent from each other even if they do not know the message. Hence they get a one to one 
assignment between the letters in their alphabet A and the matrices for the ciphertext depending 
from the part of the sequence P. This is shown in Tabled! 

Table 4: Assignment: Letters in A = { 01 , 02 ,... , 07 v} to matrices for the ciphertext depending 
from the part of the Sequence P 



Elements from the alphabet A 

Oi O2 ... Oat 

Sequence P 




Pi 


vu ••• 


P2 

K 

^0. ., 


Pk 


yL ••• 

yL 


Now, Alice wants to send a message S with z, z > 0, letters from A. To describe the procedure 
let first 

k 

^ = | 5 ’| = '^Pi- 

i=l 
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Alice cuts the message S into pieces corresponding to the sequence P, that is, 

S = aij • • • oip^ a2i • • • a2j,^ • • • Ofci • • • , 

with Uij € A for 1 < i < k and 1 < j < pi- Then she uses the Table 0] to get the matrices for 
the ciphertext depending on the sequence pi, 1 < i < k: 

U Qi. = at then at. Vl, l<t<N, 1 < j < Pi- 
The ciphertext C is the following sequence of matrices: 

with Vg^ € {Vg^, Vg^, ..., Vg^} for 1 ^ ^ /c and t < q < pg. Alice sends the ciphertext C just 

as a sequence of matrices to Bob. To reconstruct the message S Bob does the following steps: 

1. He cuts back the ciphertext into pieces as above corresponding to the known sequence P. 

2. Because he gets the same table as Alice (Table 0]) he can match V^. to at for the piece 
corresponding to pt, with l<i<k, l<j<pi and 1 < t < A^, and hence reads the 
message S in the alphabet easily. 

Now, assume that z = \S\ ^ Yli=iPi- 

If z < Yli=iPii there is no problem, Alice just ends with the last letter. 

If 5 = S 1 S 2 with |5i| = Yli=iPi then she first applies the above procedure to Si and continues 
then with S 2 in the same manner. 

Indeed, if z = |S| > S = S 1 S 2 ■ ■ * S'lyi with liSil — * * * — then we may improve 

the cryptosystem. Alice and Bob agree in addition on a permutation a G Sm, Sm the symmetric 
group on m symbols, and work with ''' Sa{m) instead of 5 = S 1 S 2 ■ ■ ■ Sm- Bob starts 

then the decryption procedure with applying first a~^. 

Remark 5.1. 1. If Alice wants to send several messages to Bob or viee versa, then to improve 

the system, they may replaee during each message transmission the Nielsen transformations 
fi by different Nielsen transformations, for instance by ft = ftf^ for a fixed Nielsen 
transformation f on U and k = 0,1,2,.... They also may replace the system U C F by 
different systems, such that U is not used too often. 

2. The cryptosystem is a poly alphabetic system. A matrix u £ U, and hence a letter a £ A, 
can be encrypted differently at different times. 

3. A possible attaeker Eve cannot read the message. She ean only see a sequenee of matriees 
in SL(2,Q). From this she neither knows the system U' = (p{U) nor the Nielsen trans¬ 
formations fi. Since the block lengths pi are very small (it is 1 < pi < A for all i) and 
since rather frequently the Nielsen transformations fi and the system U will be changed, a 
statistical frequency attack is almost impossible. 

Moreover, if we just have two N-tuples {Ai,..., A^r} and {Bi,..., B^} in SL(2, Q), it is 
hard to decide if they generate the same group, in fact, if A £ SL{2,Q) and H a subgroup 
of SL{2,Q), it is hard to decide if A £ H. 

More details and generalizations of the cryptosystem as well as more cryptographical analysis 
can be found in [6] by A. Moldenhauer. 
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6 Cryptosystem with Nielsen transformation inspired by the 
ElGamal cryptosystem 

Now we describe a public key cryptosystem for Alice and Bob which is inspired by the ElGamal 
cryptosystem (see [3] or [71 Section 1.3]), based on discrete logarithms, that is: 

1 . Alice and Bob agree on a finite cyclic group G and a generating element g a G. 

2 . Alice picks a random natural number a and publishes the element c ;= g^'. 

3. Bob, who wants to send a message m € G to Alice, picks a random natural number b and 
sends the two elements m ■ and g’^, to Alice. Note that = 17 “^. 

4. Alice recovers m = {m ■ c^) • (( 5 ^)°') ^ ■ 

In the following cryptosystem let € N be the number of letters from the used alphabet, 
X = {xi,X 2 ■ ■ ■ ,xn}, S = X U X~^ and F the free group on the free generating set X, that 
is, F = {X; ). The message is an element m & S*, the set of all words on S. Public are the 

free group F, its generating set X, an element a & S* and an automorphism / : E —>■ E, of 
infinite order, given as a Nielsen transformation or a Whitehead automorphism (see 12 ]). Each 
automorphism of E is a product of elementary Nielsen transformations between two bases of E 
(see [H Korollar 2.10]). 

The cryptosystem is now as follows: 

Public parameters: The group E = (X; ), an element a G E and an automorphism / : E ^ E 

of infinite order. 

1. Alice chooses a n G N and publishes the element c := f^{a) G S*. 

2. Bob picks a random f G N and his message m G S*. He calculates ci := m- f^{c) G S* and 
C 2 := /*(a) G S*. He sends the ciphertext (ci,C 2 ) G S* x S* to Alice. 

3. Alice calculates 

Cl • r{c 2 )~^ = m ■ f{c) ■ /"(C 2 )“^ 

= m • fir (a)) • (r (/*(«))-! 

= m./*+"(a).(r+*(a))-i 
= m, 

and gets the message m. 

Remark 6.1. A possible attacker, Eve, can see the elements c, C 2 ,ci G S*. She does not know the 
free length of m and the cancellations between m and f{c) in ci. Hence she gets no information 
about m from the element ci. Eve just sees words in the free generating system from which it is 
almost impossible to realize the exponents n and t, that is, the private keys from Alice and Bob, 
respectively. 

Remark 6.2. We give some ideas to enhance the security, they can also be combined: 

1. The element a G F is a common secret between Alice and Bob. They could use for example 
the Anshel-Anshel-Goldfeld key exchange protocol (see E) to agree on the element a. 

2. Alice and Bob agree on a faithful representation from F into the special linear group of all 
2x2 matrices with entries in Q, that is, g : F ^ SL(2,Q). Now m G S and Bob sends 
Cl := g{ni) ■ g{f{c)) G SL{2,Q) instead of c\ := m • /*(c) G S'*. Therefore Alice calculates 
Cl • {g{f^{c2)))~^ = g{m) and hence the message m = g~^{g{m)) G S. 
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